Free Republic

'Witty' Worm Wrecks Computers
Washington Post ^ | 03/20/04 | Brian Krebs

Posted on 03/20/2004 5:09:50 PM PST by Salo

The worm targets Windows computers that run specific security firewalls.

By Brian Krebs, washingtonpost.com Staff Writer, Saturday, March 20, 2004; 7:02 PM

A quickly spreading Internet worm destroyed or damaged tens of thousands of personal computers worldwide Saturday morning by exploiting a security flaw in a firewall program designed to protect PCs from online threats, computer experts said.

(Excerpt) Read more at washingtonpost.com ...


TOPICS: Technical
KEYWORDS: blackice; computer; destructive; lowqualitycrap; malware; microsoft; realsecure; security; technical; windows; witty; worm
To: Salo

Internet Security Systems Security Alert, March 20, 2004

BlackICE Witty Worm Propagation

Synopsis:

ISS X-Force has learned of a worm that is spreading via the ICQ parsing
vulnerability in ISS products that was announced on March 18th. The worm
targets unpatched versions of the BlackICE PC Protection product. If a
vulnerable system is infected, the Witty worm attempts to propagate by
scanning random IP addresses. The Witty worm progressively writes junk 
data to physical hard drives after transmitting 20,000 packets, causing 
data damage.

Impact:

The Witty worm uses hard-coded addresses and only has the ability to
infect certain builds of the Protocol Analysis Module (PAM). The Witty
worm is destructive to the target system, and overwrites key hard disk
sectors after sending out its payload. The junk data written to disk
may impact system stability and cause a "blue screen" to occur upon reboot.

The Witty worm only infects specific builds of PAM listed below, and can 
only infect Win32 systems.

Affected Versions:

BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf
BlackICE PC Protection 3.6 cbz, ccd, ccf
BlackICE Server Protection 3.6 cbz, ccd, ccf
RealSecure® Network 7.0, XPU 22.4 and 22.10
RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
RealSecure Desktop 3.6 ebz, ecd, ece, ecf
RealSecure Guard 3.6 ebz, ecd, ece, ecf
RealSecure Sentry 3.6 ebz, ecd, ece, ecf

Note: No Proventia products are affected by the Witty worm. The newest
updates for all products are not vulnerable to exploitation. 

Description:

The Witty worm exploits a stack-based overflow in ICQ response parsing
in the Protocol Analysis Module (PAM) of ISS products. It is a memory-
resident worm only, and contains no file payload. Witty propagates via
UDP, sending UDP packets with a random destination and destination port.
The source port of Witty traffic is 4000, and the source address is not
spoofed.

The worm will attempt to propagate immediately by sending copies of
itself out across the wire to random targets. After sending a predefined
number of packets, Witty attempts to open a randomly determined physical
drive and write 64k of data to a random location. This cycle repeats for 
every 20,000 packets sent.

Recommendations:

ISS Product updates that address this vulnerability have been available
since March 9, 2004. These updates are accessible via the ISS Download
Center:

http://www.iss.net/download/

ISS X-Force recommends that networks block UDP packets with a source
port of 4000 at the network gateway to block inbound worm propagation.

Data on infected systems may be damaged. ISS X-Force recommends that
systems that are infected are removed from the network, and powered 
down. ISS X-Force further recommends that data recovery techniques
are employed to assess damage and to recover data.

Doesn't sound quite as destructive as the Wash Pest would have us believe. However, anyone who wants to throw up their hands over this one is quite welcome to mail me their "destroyed" computer or hard drive.

21 posted on 03/20/2004 6:32:38 PM PST by Leroy S. Mort
[ Post Reply | Private Reply | To 1 | View Replies]

To: Salo
Norton says that since the worm only resides in memory it is undetectable by antivirus products. The tech data is confusing, IMHO, but it seems to involve a combination of ICQ and Black Ice.

Frankly, I switched from Black Ice to ZoneAlarm a couple of years ago. I admit I haven't kept up with Black Ice updates since then, especially after they started charging extra money for updates after you had already registered the shareware.
22 posted on 03/20/2004 6:36:31 PM PST by Cicero (Marcus Tullius)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Cicero
I have a PIX, and my primary computer is an iMac G4. IMO, this is not really something to pin on Windows; it's an application with a flaw that only runs on that OS.

Frankly, I switched from Black Ice to ZoneAlarm a couple of years ago

23 posted on 03/20/2004 6:47:48 PM PST by Salo (You have the right to free speech - as long as you are not dumb enough to actually try it.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: steplock
If Macs were as popular as PCs and Windows, you would see Macs dying and PC owners gloating.

And if Ferraris had been as numerous as Pintos, it would have been the Ferraris blowing up in rear-end collisions.

24 posted on 03/20/2004 6:48:46 PM PST by Nick Danger (Give me immortality... or give me death.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: gitmo
Users not running a vulnerable BlackIce product can't get infected by this worm.

W32/Witty.worm is a network worm that tries to exploit the ISS/PAM ICQ module vulnerability (see ISS advisory) of BlackIce products.

This worm does not spread via e-mail; users do not have to click anything and can't see anything of the infection process.

It does not create any registry keys in order to get executed on system boot. Rebooting an infected system removes the virus from memory.

When a malicious packet hits a vulnerable machine, the worm will get executed in memory and start to spread from the new victim.

The worm first sends out 20,000 packets from UDP port 4000 to random IP addresses and random ports. Then it writes 64 KB of the exploited DLL to a random position on the hard drive. After that, it starts spreading again and loops.

The payload, writing 65K bytes to a random position on the disk, will result in corrupted files. The longer a machine is infected, the more parts of the hard drive will get damaged! Tests proved that a machine being infected for 10 minutes wasn't able to reboot because of damaged system files.

Damaged files need to get replaced from a backup; they can't get cleaned.

Version 'BlackIce 3.6.ccf' is affected by this worm; the latest available version (BlackIce 3.6.ccg) as well as version 3.5 and prior are not!

A patch for BlackIce products is available at:
http://blackice.iss.net/update_center/index.php

Indications of Infection

Outgoing UDP network traffic from port 4000 to random IP addresses.
Corrupted files on disk.
System reacts very slowly.
BLACKD.EXE has about 99% CPU usage.
System may get unstable or unable to boot.

Method of Infection

The worm infects machines by exploiting a vulnerability in some BlackIce products.

25 posted on 03/20/2004 7:36:43 PM PST by stoney
[ Post Reply | Private Reply | To 7 | View Replies]
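The ISS advisory in post 21 (block inbound UDP with source port 4000 at the gateway) and the "Indications of Infection" list in post 25 (outgoing UDP from port 4000 to random IP addresses) both describe the same observable. The following is an added example, not code from the thread, from ISS or from McAfee: a small Python detector that runs over constructed one-line flow records and flags any host sending UDP from port 4000 to many distinct destinations in a short window. The log format, every address, the 60-second window and the 50-destination threshold are assumptions; only the source port comes from the advisory.

```python
"""Flag hosts whose UDP traffic looks like Witty's random-target fan-out.

Added example for this thread; not code from ISS, McAfee or the posters.
The log format, all addresses, the window and the threshold are constructed
assumptions. Only the source port (4000) comes from the ISS advisory.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed one-line flow format: "<ISO-8601 ts> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

WITTY_SPORT = 4000                 # source port named in the ISS advisory
WINDOW = timedelta(seconds=60)     # assumed observation window
MIN_DISTINCT_DSTS = 50             # assumed fan-out threshold for "random targets"


def parse_line(line):
    """Parse one flow line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def find_scanners(lines, sport=WITTY_SPORT, window=WINDOW, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src_ip: peak_distinct_destinations} for hosts that send UDP from
    `sport` to at least `min_dsts` distinct destination IPs inside any `window`.

    The port alone is a weak signal (any client may bind 4000); the fan-out to
    many distinct destinations is what separates a scanner from a normal session.
    """
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["sport"] != sport:
            continue
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        live = Counter()      # destinations currently inside the sliding window
        start = 0
        for ts, dst in events:
            live[dst] += 1
            # drop events older than `window` relative to the newest one
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
                start += 1
            if len(live) >= min_dsts:
                hits[src] = max(hits.get(src, 0), len(live))
    return hits


def sample_log():
    """Constructed sample: one fanning-out host, one normal client, one TCP flow."""
    base = datetime(2004, 3, 20, 9, 0, 0)
    lines = []
    for i in range(60):   # 60 distinct targets in 24 seconds from the infected host
        ts = base + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()} UDP 10.0.0.5:4000 -> 198.51.100.{i + 1}:{1024 + 37 * i}")
    for i in range(60):   # a client talking to a single server from the same port
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} UDP 10.0.0.9:4000 -> 203.0.113.10:4000")
    lines.append(f"{base.isoformat()} TCP 10.0.0.7:4000 -> 203.0.113.20:80")
    return lines


if __name__ == "__main__":
    for host, fanout in find_scanners(sample_log()).items():
        print(f"{host}: UDP sport {WITTY_SPORT} reached {fanout} distinct hosts; isolate and check disk")
```

Run as written, the sample flags only 10.0.0.5; the host that repeatedly talks to one server from port 4000 stays quiet, which is why the rule keys on destination fan-out rather than on the port by itself. A host that trips it should be pulled off the network and powered down, as the advisory recommends, since every further 20,000 packets means another 64 KB written to a random disk location.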

To: proxy_user
I'd just change a few numbers on spreadsheets and misspell words in some documents.

Now that is a good idea. But it's probably beyond what can be put into a small email virus. How about one that adds a couple of words to outgoing email? Maybe lets it slip out that the boss is embezzling?

'Course that's pretty canned and people will catch on. I like the idea of manipulating an Excel database.
26 posted on 03/20/2004 9:35:13 PM PST by lelio
[ Post Reply | Private Reply | To 10 | View Replies]

To: Woahhs
Dare I say it?

Go ahead... you'll feel better.

27 posted on 03/21/2004 12:50:15 AM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Swordmaker
Go ahead... you'll feel better.

uh-kay!

ehhem.

Shoulda got a ... something that won't run black ice!

28 posted on 03/21/2004 3:20:03 AM PST by Woahhs
[ Post Reply | Private Reply | To 27 | View Replies]

To: Salo
... exploiting a security flaw in a firewall program...

Oy... what else is there to say?

29 posted on 03/21/2004 6:36:09 PM PST by TechJunkYard
[ Post Reply | Private Reply | To 1 | View Replies]

